CN106375160A - Flow monitoring system and flow monitoring method - Google Patents

Flow monitoring system and flow monitoring method Download PDF

Info

Publication number
CN106375160A
CN106375160A CN201610967238.0A CN201610967238A CN106375160A CN 106375160 A CN106375160 A CN 106375160A CN 201610967238 A CN201610967238 A CN 201610967238A CN 106375160 A CN106375160 A CN 106375160A
Authority
CN
China
Prior art keywords
mirror image
image data
flow monitoring
flow
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610967238.0A
Other languages
Chinese (zh)
Inventor
胡炜勍
方勇
刘吉赟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHANGHAI UCLOUD INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SHANGHAI UCLOUD INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SHANGHAI UCLOUD INFORMATION TECHNOLOGY Co Ltd filed Critical SHANGHAI UCLOUD INFORMATION TECHNOLOGY Co Ltd
Priority to CN201610967238.0A priority Critical patent/CN106375160A/en
Publication of CN106375160A publication Critical patent/CN106375160A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/026Capturing of monitoring data using flow identification
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/70Admission control; Resource allocation
    • H04L47/80Actions related to the user profile or the type of traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a flow monitoring system and a flow monitoring method. The flow monitoring system comprises two flow monitoring groups which are located in a first network. Each flow monitoring group comprises an in network device which is configured to reckon the network access flow of a second network into the traffic monitoring groups, at least one shunt switch which is configured to acquire the mirror image data packet of a data packet sent by the in network device, a flow analysis server group which comprises at least one flow analysis server, a shunt server group which comprises at least one shunt server which is configured to acquire the mirror image data packet sent by the shunt switch and send the mirror image data packet of the same session flow to the same flow analysis server through the shunt switch based on the data head of the mirror image data packet. The flow analysis server is located in any one of two traffic monitoring groups. According to the invention, the flow monitoring system and the flow monitoring method can acquire the complete flow of the same session flow.

Description

Flow monitoring system and flow monitoring method
Technical field
The present invention relates to Computer Applied Technology field, more particularly, to a kind of flow monitoring system and flow monitoring method.
Background technology
Deep packet inspection technical is dpi (deep packet inspection, deep message detects) technology is a kind of base In flow detection and the control technology of application layer, as ip packet, tcp, (transmission control protocol passes Transport control protocol discuss) or udp (user datagram protocol, User Datagram Protocol) data flow by based on dpi technology Bandwidth management system when, this system is by the content of deep reading ip payload package come to osi (open system Interconnection, Open System Interconnection) application layer message in seven layer protocols recombinated, thus entirely being applied The content of program, then according to the management strategy of system definition is analyzed to flow.
In prior art, using deep packet monitoring technology detecting system topological diagram referring to Fig. 1.Fig. 1 shows two Flow monitoring group 100a and 100b, each flow monitoring group include point of presence 110 (pop, point-of-presence), The flow analysis servers 130 that the shunting switch 120 being connected with point of presence 110 is connected with shunting switch 120.Flow divides Analysis server 130 is monitored and analyzed to the network access traffic counting same flow monitoring group using dpi technology.Existing In technology, via purpose mac (media access control, the media access control) address of the packet of point of presence 110 It is randomly set to the mac address of arbitrary flow analysis servers 130.However, adopting prior art, the data of same session stream Bag can be randomized to either different flow Analysis server 130, even distributes the flow analysis service of different flow monitoring group Device 130 is analyzed, and each flow analysis servers 130 will not be in communication with each other.Like this, each flow analysis servers 130 cannot reduce all packets of a session stream complete flow information to obtain same session stream.
Content of the invention
The present invention, in order to overcome the defect that above-mentioned prior art exists, provides a kind of flow monitoring system and flow monitoring side Method, it can obtain the complete flow information of same session stream.
According to an aspect of the present invention, provide a kind of flow monitoring system, comprising: two flow monitoring groups, described stream Amount monitoring group is located at first network, and each described flow monitoring group includes: a networking device, is configured to the net of the second network Network flowing of access counts described flow monitoring group, and the information of described network access traffic is based on the data via described networking device The information acquisition of bag, described packet is sent to described first network by described second network;At least one shunts switch, with Described networking device connects, and described shunting switch is configured to obtain the mirror image of the described packet being sent by described networking device Packet;Flow analysis servers group, is connected with described shunting switch, including at least one flow analysis servers, configures Become and flow analysis is carried out according to the mirror image data bag receiving;Shunting server group, is connected with described shunting switch, including At least one shunts server, and described shunting server configures become to obtain the described mirror image data that described shunting switch sends Bag, and according to the data head of described mirror image data bag, the mirror image data bag of same session stream is sent via described shunting switch To same flow analysis servers, this flow analysis servers is located at any one of two described flow monitoring groups.
Preferably, the networking device of two described flow monitoring groups is connected with each other.
Preferably, the packet of same session stream is exchanged by the data head according to described mirror image data bag via described shunting Machine sends and includes to same flow analysis servers:
Described shunting server arranges the purpose mac ground of described mirror image data bag according to the data head of described mirror image data bag Location makes the mirror image data bag of same session stream have identical purpose mac address, and described purpose mac address is described flow analysis The mac address of server.
Preferably, described shunting server arranges the mesh of described mirror image data bag according to the data head of described mirror image data bag Mac address include:
The data of the described shunting data head based on described mirror image data bag for the server, using consistent hashing algorithm, comes The purpose mac address of described mirror image data bag is set.
Preferably, the data of the described shunting data head based on described mirror image data bag for the server, using consistent hashing Algorithm, the data to arrange the data head being based in the purpose mac address of described mirror image data bag includes:
The source ip address of described data head, source port, purpose ip address and destination interface.
Preferably, the source ip address of the data head of described mirror image data bag, source port are to send out in described second network Give ip address and the port of the terminal of the raw data packets of this mirror image data bag;
The purpose ip address of the data head of described mirror image data bag, destination interface are to receive to be somebody's turn to do in described first network The ip address of the node of the raw data packets of mirror image data bag and port.
The node being preferably located at the raw data packets receiving this mirror image data bag in described first network is in cloud platform Cloud node.
Preferably, for providing the network that the cloud platform of public service is located, described second network is mutual to described first network Networking.
Preferably, described flow analysis servers based on tcp/ip agreement tcp streaming session follow the tracks of and tcp recombinant technique Lai Carry out flow analysis.
Preferably, also include: detection information data base, connect to the flow analysis servers of two described flow monitoring groups Group, wherein, described detection information data base is used for storing flow analysis data.
According to another aspect of the invention, also provide a kind of flow monitoring method, be applied to flow monitoring system, described stream Amount monitoring system, comprising: two flow monitoring groups, described flow monitoring group is located at first network, each described flow monitoring group Including: a networking device, it is configured to for the network access traffic of the second network to count described flow monitoring group, described network is visited Ask the information of the flow information acquisition based on the packet via described networking device, described packet is sent out by described second network Deliver to described first network;At least one shunts switch, is connected with described networking device;Flow analysis servers group, with institute State shunting switch to connect, including at least one flow analysis servers;Shunting server group, with described shunting switch even Connect, shunt server including at least one, methods described includes: described shunting switch obtains by the transmission of described networking device The mirror image data bag of described packet;Described shunting server obtains the described mirror image data bag that described shunting switch sends, And according to the data head of described mirror image data bag by the mirror image data bag of same session stream via described shunting switch send to Same flow analysis servers, this flow analysis servers is located at any one of two described flow monitoring groups;Described flow Analysis server carries out flow analysis according to the mirror image data bag receiving.
Preferably, the networking device of two described flow monitoring groups is connected with each other.
Preferably, described shunting server according to the data head of described mirror image data bag by the packet warp of same session stream Sent by described shunting switch and include to same flow analysis servers:
Described shunting server arranges the purpose mac ground of described mirror image data bag according to the data head of described mirror image data bag Location makes the mirror image data bag of same session stream have identical purpose mac address, and described purpose mac address is described flow analysis The mac address of server.
Preferably, described shunting server arranges the mesh of described mirror image data bag according to the data head of described mirror image data bag Mac address include:
The data of the described shunting data head based on described mirror image data bag for the server, using consistent hashing algorithm, comes The purpose mac address of described mirror image data bag is set.
Preferably, the data of the described shunting data head based on described mirror image data bag for the server, using consistent hashing Algorithm, the data to arrange the data head being based in the purpose mac address of described mirror image data bag includes:
The source ip address of described data head, source port, purpose ip address and destination interface.
Preferably, the source ip address of the data head of described mirror image data bag, source port are to send out in described second network Give ip address and the port of the terminal of the raw data packets of this mirror image data bag;
The purpose ip address of the data head of described mirror image data bag, destination interface are to receive to be somebody's turn to do in described first network The ip address of the node of the raw data packets of mirror image data bag and port.
The node being preferably located at the raw data packets receiving this mirror image data bag in described first network is in cloud platform Cloud node.
Preferably, for providing the network that the cloud platform of public service is located, described second network is mutual to described first network Networking.
Preferably, described flow analysis servers based on tcp/ip agreement tcp streaming session follow the tracks of and tcp recombinant technique Lai Carry out flow analysis.
Compared to existing technology, advantage of the invention is that passing through to shunt the setting of server group, based on mirror image data bag Data head sends the mirror image data bag of same session stream to same flow analysis servers, and this flow analysis servers can position In any one of two flow monitoring groups, flow analysis servers can be analyzed by the complete stream obtaining same session stream with this Amount.
Brief description
Describe its example embodiment by referring to accompanying drawing in detail, above and other feature of the present invention and advantage will become Become apparent from.
Fig. 1 shows the schematic diagram of the flow monitoring system of prior art.
Fig. 2 shows the schematic diagram of flow monitoring system according to embodiments of the present invention.
The flow chart that Fig. 3 shows flow monitoring method according to embodiments of the present invention.
Specific embodiment
It is described more fully with example embodiment referring now to accompanying drawing.However, example embodiment can be with multiple shapes Formula is implemented, and is not understood as limited to embodiment set forth herein;On the contrary, these embodiments are provided so that the present invention will Fully and completely, and by the design of example embodiment comprehensively convey to those skilled in the art.Attached in figure identical Icon note represents same or similar structure, thus will omit repetition thereof.
Described feature, structure or characteristic can combine in one or more embodiments in any suitable manner In.In the following description, many details are provided thus being given, embodiments of the present invention to be fully understood.However, One of ordinary skill in the art would recognize that, there is no one of described specific detail or more, or adopt other methods, group Unit, material etc. are it is also possible to put into practice technical scheme.In other cases, it is not shown in detail or describes known features, material Material or operation are to avoid the fuzzy present invention.
Block diagram shown in accompanying drawing is only functional entity, not necessarily must be corresponding with physically separate entity. I.e., it is possible to realize these functional entitys using software form, or it is real to realize these functions in one or more integrated circuits Body, or realize these functional entitys in heterogeneous networks and/or processor device and/or microcontroller device.
The flow monitoring system of present invention offer is described with reference to Fig. 2.Fig. 2 shows stream according to embodiments of the present invention The schematic diagram of amount monitoring system.In Fig. 2, flow monitoring system includes two flow monitoring groups 200a and 200b.Two flow prisons Survey group 200a and 200b are all located at first network.Flow monitoring group 200a includes a networking device 210, at least one shunting is handed over Change planes 220, include the flow analysis servers group 240 of at least one flow analysis servers 241 and include at least one shunting The shunting server 230 of server 231.Two flow monitoring groups 200a and 200b have identical structure, are located at two respectively The quantity of each assembly of flow monitoring group can be identical or different, and the present invention is not so limited.Two flow monitoring groups The networking device 210 of 200a and 200b is connected with each other.
Networking device 210 can be the point of presence being made up of router.Networking device 210 is configured to the net of the second network Network flowing of access counts flow monitoring group 200a.Network access traffic is obtained based on the packet via networking device 210.Data Bag is sent to first network by the second network.Specifically, first network can provide the cloud platform of public service to be located Network, the second network can be made up of many Internet Service Providers (isp, internet service provider) The Internet.Correspondingly, the packet via networking device 210 can be public to providing from the terminal positioned at above-mentioned the Internet The packet that cloud node in the cloud platform of server sends.Above-mentioned network access traffic can be by positioned at above-mentioned the Internet Terminal access provides the flowing of access of the cloud node in the cloud platform of public server.In other words, above-mentioned network access traffic can To be the flow summation accessing each cloud node in the cloud platform providing public server.Above-mentioned network access traffic concrete Flow information can calculate according to the information of above-mentioned packet and obtain.
Shunting switch 220 is connected with the networking device 210 positioned at same flow monitoring group 200a.One is only illustrated in Fig. 2 Individual shunting switch 220, the present invention is not so limited, and the quantity of shunting switch 220 can be with actual demand, such as flow monitoring Depending on the scale of system, the data volume being detected.
Shunting switch 220 is configured to obtain the packet via this networking device 210 being sent by networking device 210 Mirror image data bag.Shunting switch 220 also sends mirror image data bag to shunting server group 230, and will be via shunting service The mirror image data bag of device group 230 shunting distribute flow analysis servers 241 to corresponding flow analysis servers group 240 or It is forwarded to another flow monitoring group 200b to distribute mirror image data bag to flow analysis service in another flow monitoring group 200b Flow analysis servers 241 in device group 240.
Shunting server group 230 is connected with the described shunting switch 220 positioned at same flow monitoring group 200a.Shunting clothes Business device group 230 includes at least one and shunts server 231.Only illustrate in Fig. 2 two shunting servers 231, the present invention not with This is limited, the quantity of shunting server 231 can with actual demand, as flow monitoring system scale, the data volume that detected and Fixed.
Shunting server 231 is configured to obtain and is located at the mirror that the shunting switch 220 of same flow monitoring group 200a sends As packet, and according to the data head of mirror image data bag by the mirror image data bag of same session stream via positioned at same flow monitoring The shunting switch 220 of group 200a sends to same flow analysis servers 241.This flow analysis servers 241 is located at two Any one of flow monitoring group 200a and 200b.In other words, when this flow analysis servers 241 is located at flow monitoring group 200a When, shunting switch 220 directly sends mirror image data bag to the flow analysis servers positioned at same flow monitoring group 200a 241;When this flow analysis servers 241 is located at another flow monitoring group 200b, shunting switch 220 is by this mirror image data bag Send to another flow monitoring group 200b via networking device 210, and the networking device 210 by another flow monitoring group 200b And shunting switch 220 sends to the flow analysis servers 241 of another flow monitoring group 200b.
Specifically, shunting server 231 alternately through following manner by the mirror image data bag of same session stream via Send to same flow analysis servers 241 positioned at the shunting switch 220 of same flow monitoring group 200a: shunting server 231 make the mirror image data bag of same session stream according to the purpose mac address that the data head of mirror image data bag arranges mirror image data bag There is identical purpose mac address.Set purpose mac address is the mac address of flow analysis servers.In other words, have The mirror image data bag having identical purpose mac address can be sent to same flow analysis servers.
Further, the shunting server 231 that the present invention provides can data head based on mirror image data bag, using consistent Property hash algorithm, to arrange the purpose mac address of mirror image data bag.Data using the packet needed for consistent hashing algorithm The data of head includes source ip address in data head, source port, purpose ip address and destination interface.Specifically, above-mentioned source ip ground Location, source port are the ip ground of the terminal of raw data packets sending this mirror image data bag in the second network (such as the Internet) Location and port;Above-mentioned purpose ip address, destination interface are the raw data packets receiving this mirror image data bag in first network The ip address of node and port.In one embodiment, first network is for providing the net that the cloud platform of public service is located Network, the node receiving the raw data packets of this mirror image data bag in first network is the cloud node in cloud platform.Specifically, Above-mentioned consistent hashing algorithm may include that shunting server 231 to the source ip address in data head, source port, purpose ip ground Location, after destination interface carries out xor operation, by the machine quantity modulus of the result and the flow analysis servers 241 that obtain, then By the purpose mac address of modulus result identical mirror image data bag, it is set to the mac address of same flow analysis servers. Preferably, the machine quantity of above-mentioned flow analysis servers 241 is flow analysis servers 241 in same flow monitoring group 200a Machine quantity.In some change case, the machine quantity of above-mentioned flow analysis servers 241 can also be two flow monitorings Total machine quantity of flow analysis servers 241 in group 200a.Preferably, shunting server 231 can be by mirror image data bag Purpose mac address is set to the mac address of same flow analysis servers 241 in same flow monitoring group 200a.One In a little change case, the purpose mac address of mirror image data bag can also be set to another flow monitoring group by shunting server 231 The mac address of same flow analysis servers 241 in 200b.
Flow analysis servers group 240 is connected with the shunting switch 220 positioned at same flow monitoring group 200a.Flow divides Analysis server group 240 includes at least one flow analysis servers 241.Two flow analysis servers 241 are only shown in Fig. 2, The present invention is not so limited, the quantity of flow analysis servers 241 can with actual demand, such as the scale of flow monitoring system, Depending on the data volume being detected.
Flow analysis servers 241 are configured to carry out flow analysis according to the mirror image data bag receiving.In the present invention, The mirror image data bag of same session stream can be sent to same flow analysis servers 241.Specifically, session stream refers to When two station terminals (being for example located at a terminal of the second network and the node being located at first network) mutually communicate, from the company of foundation Connect, transmit data to the process of the whole message data bag transmission disconnecting.Flow analysis servers 241 can be based on The tcp streaming session of tcp/ip agreement is followed the tracks of and tcp recombinant technique is carrying out flow analysis.Tcp streaming session is followed the tracks of and tcp restructuring skill Art can reduce whole session stream according to the data head obtaining packet, and then flow analysis servers 241 are obtained The complete flow information of same session stream.Further, after mirror image data bag reaches flow analysis servers 241, flow divides Analysis server 241 analyzes useful data and can abandon mirror image data bag after producing daily record.
As shown in Fig. 2 optional, flow monitoring system also includes detection information data base 260.Detection information data base 260 pass through the flow analysis servers group that two data transmitting servers 250 are respectively connecting to two flow monitoring groups, detection letter Breath data base 260 be used for storing flow analysis data, and can give flow analysis data display using the public clothes of offer further The client of the cloud platform of business.
Fig. 2 only schematically shows the topological diagram of the flow monitoring system of present invention offer, and it is not to the present invention Restriction, without prejudice on the premise of basic idea of the present invention, the change of each number of components, the change of form are all the present invention's In protection domain.For example, in certain embodiments, each part passes through optical fiber wired connection.In further embodiments, each part Can also wirelessly connect.The present invention is not so limited.
According to another aspect of the invention, also provide a kind of flow monitoring method for flow monitoring system.Flow is supervised Examining system can be as shown in Fig. 2 flow monitoring system includes two flow monitoring groups.Two flow monitoring groups are all located at the first net Network.Flow monitoring group includes a networking device, at least one shunting switch includes at least one flow analysis servers Flow analysis servers group and the shunting server including at least one shunting server.Two flow monitoring groups and have identical Structure, be located at respectively two flow monitoring groups the quantity of each assembly can be identical or different.The connection of each part Relation is as described above.
Flow monitoring method can be found in Fig. 3, and Fig. 3 shows the flow process of flow monitoring method according to embodiments of the present invention Figure.Fig. 3 illustrates 3 steps altogether:
Step s310: the mirror image data bag of the packet that shunting switch acquisition is sent by networking device.This packet by Second network sends to first network, and via networking device to count the network access traffic of the second network.
Step s320: shunting server obtains the mirror image data bag that shunting switch sends, and according to mirror image data bag The mirror image data bag of same session stream is sent to same flow analysis servers by data head via described shunting switch, this stream Amount Analysis server is located at any one of two described flow monitoring groups.
In conjunction with shown in Fig. 2, specifically, shunting server is to the source ip address in data head, source port, purpose ip ground Location, after destination interface carries out xor operation, then the result obtaining and the machine quantity modulus of flow analysis servers will be asked The purpose mac address of mould result identical mirror image data bag, is set to the mac address of same flow analysis servers.Preferably Ground, the machine quantity of above-mentioned flow analysis servers 241 is the machine of flow analysis servers 241 in same flow monitoring group 200a Device quantity.In some change case, the machine quantity of above-mentioned flow analysis servers 241 can also be two flow monitoring groups Total machine quantity of flow analysis servers 241 in 200a.Preferably, shunting server 231 can be by the mesh of mirror image data bag Mac address be set to the mac address of same flow analysis servers 241 in same flow monitoring group 200a.At some In change case, the purpose mac address of mirror image data bag can also be set to another flow monitoring group 200b by shunting server 231 In same flow analysis servers 241 mac address.
Step s330: flow analysis servers carry out flow analysis according to the mirror image data bag receiving.Flow analysis Server 241 can based on tcp/ip agreement tcp streaming session follow the tracks of and tcp recombinant technique carry out flow analysis.Tcp flows meeting Words are followed the tracks of and tcp recombinant technique can reduce whole session stream according to the data head obtaining packet, and then make flow analysis Server 241 can obtain the complete flow information of same session stream.
The flow chart that Fig. 3 only schematically shows the flow monitoring method of present invention offer, it is not to the present invention Restriction, without prejudice on the premise of basic idea of the present invention, the increase of step, merging, omission, order change all in the present invention Protection domain in.
Compared to existing technology, advantage of the invention is that passing through to shunt the setting of server group, based on mirror image data bag Data head sends the mirror image data bag of same session stream to same flow analysis servers, and this flow analysis servers can position In any one of two flow monitoring groups, flow analysis servers can be analyzed by the complete stream obtaining same session stream with this Amount.
Through the above description of the embodiments, those skilled in the art is it can be readily appreciated that the embodiment of the present disclosure can be led to Cross hardware to realize it is also possible to realize by way of software is with reference to necessary hardware.Therefore, the technical side of the embodiment of the present disclosure Case can be embodied in the form of software product, and it is (permissible that this software product can be stored in a non-volatile memory medium Be cd-rom, u disk, portable hard drive etc.) in, including some instructions with so that computing device (can be personal computer, Server, mobile terminal or network equipment etc.) execution is according to the method for disclosure embodiment.
It will be understood by those skilled in the art that accompanying drawing is the schematic diagram of example embodiment, the module in accompanying drawing or stream Journey is not necessarily implemented necessary to the disclosure, therefore cannot be used for limiting the protection domain of the disclosure.
It will be appreciated by those skilled in the art that above-mentioned each module can be distributed in device according to the description of embodiment, also may be used It is disposed other than in one or more devices of the present embodiment with carrying out respective change.The module of above-described embodiment can be merged into One module is it is also possible to be further split into multiple submodule.
More than it is particularly shown and described the illustrative embodiments of the present invention.It should be understood that the invention is not restricted to institute Disclosed embodiment, on the contrary, it is intended to cover and comprising various modifications within the scope of the appended claims and equivalent put Change.

Claims (19)

1. a kind of flow monitoring system is it is characterised in that include:
Two flow monitoring groups, described flow monitoring group is located at first network,
Each described flow monitoring group includes:
One networking device, is configured to for the network access traffic of the second network to count described flow monitoring group, described network is visited Ask the information of the flow information acquisition based on the packet via described networking device, described packet is sent out by described second network Deliver to described first network;
At least one shunts switch, is connected with described networking device, and described shunting switch is configured to obtain by described networking The mirror image data bag of the described packet that device sends;
Flow analysis servers group, is connected with described shunting switch, including at least one flow analysis servers, is configured to root To carry out flow analysis according to the mirror image data bag receiving;
Shunting server group, is connected with described shunting switch, shunts server including at least one, described shunting server is joined It is set to and obtain the described mirror image data bag that described shunting switch sends, and will be same according to the data head of described mirror image data bag The mirror image data bag of session stream sends to same flow analysis servers via described shunting switch, this flow analysis servers Positioned at any one of two described flow monitoring groups.
2. flow monitoring system as claimed in claim 1 is it is characterised in that the networking device phase of two described flow monitoring groups Connect.
3. flow monitoring system as claimed in claim 1 is it is characterised in that will be with according to the data head of described mirror image data bag The packet of one session stream sends via described shunting switch and includes to same flow analysis servers:
Described shunting server arranges the purpose mac address of described mirror image data bag according to the data head of described mirror image data bag, The mirror image data bag of same session stream is made to have identical purpose mac address, described purpose mac address is described flow analysis clothes The mac address of business device.
4. right will remove the flow monitoring system as described in 3 it is characterised in that described shunting server is according to described mirror image data The purpose mac address that the data head of bag arranges described mirror image data bag includes:
The data of the described shunting data head based on described mirror image data bag for the server, using consistent hashing algorithm, to be arranged The purpose mac address of described mirror image data bag.
5. flow monitoring system as claimed in claim 4 is it is characterised in that described shunting server is based on described mirror image data The data of the data head of bag, using consistent hashing algorithm, is based in the purpose mac address to arrange described mirror image data bag The data of data head include:
The source ip address of described data head, source port, purpose ip address and destination interface.
6. flow monitoring system as claimed in claim 5 it is characterised in that
The source ip address of the data head of described mirror image data bag, source port are to send this mirror image data in described second network The ip address of the terminal of raw data packets of bag and port;
The purpose ip address of the data head of described mirror image data bag, destination interface are to receive this mirror image in described first network The ip address of the node of the raw data packets of packet and port.
7. flow monitoring system as claimed in claim 6 receives this mirror image number it is characterised in that being located in described first network Node according to the raw data packets of bag is the cloud node in cloud platform.
8. the flow monitoring system as described in any one of claim 1 to 7 is it is characterised in that described first network is public for providing The network that the cloud platform of service is located altogether, described second network is the Internet.
9. the flow monitoring system as described in any one of claim 1 to 7 is it is characterised in that described flow analysis servers base Tcp streaming session in tcp/ip agreement is followed the tracks of and tcp recombinant technique to carry out flow analysis.
10. the flow monitoring system as described in any one of claim 1 to 7 is it is characterised in that also include:
Detection information data base, connects to the flow analysis servers group of two described flow monitoring groups, wherein, described detection letter Breath data base be used for storing flow analysis data.
A kind of 11. flow monitoring methods, be applied to described flow monitoring system it is characterised in that
Described flow monitoring system, comprising:
Two flow monitoring groups, described flow monitoring group is located at first network,
Each described flow monitoring group includes:
One networking device, is configured to for the network access traffic of the second network to count described flow monitoring group, described network is visited Ask the information of the flow information acquisition based on the packet via described networking device, described packet is sent out by described second network Deliver to described first network;
At least one shunts switch, is connected with described networking device;
Flow analysis servers group, is connected with described shunting switch, including at least one flow analysis servers;
Shunting server group, is connected with described shunting switch, shunts server including at least one, methods described includes:
Described shunting switch obtains the mirror image data bag of the described packet being sent by described networking device;
Described shunting server obtains the described mirror image data bag that described shunting switch sends, and according to described mirror image data bag Data head by the mirror image data bag of same session stream via described shunting switch send to same flow analysis servers, should Flow analysis servers are located at any one of two described flow monitoring groups;
Described flow analysis servers carry out flow analysis according to the mirror image data bag receiving.
12. flow monitoring methods as claimed in claim 11 are it is characterised in that the networking device of two described flow monitoring groups It is connected with each other.
13. flow monitoring methods as claimed in claim 11 are it is characterised in that described shunting server is according to described mirror image number The packet of same session stream is sent to same flow analysis servers bag by the data head according to bag via described shunting switch Include:
Described shunting server makes according to the purpose mac address that the data head of described mirror image data bag arranges described mirror image data bag The mirror image data bag of same session stream has identical purpose mac address, and described purpose mac address is described flow analysis service The mac address of device.
14. will remove the flow monitoring method as described in 13 it is characterised in that described shunting server is according to described mirror image number as right Include according to the purpose mac address that the data head of bag arranges described mirror image data bag:
The data of the described shunting data head based on described mirror image data bag for the server, using consistent hashing algorithm, to be arranged The purpose mac address of described mirror image data bag.
15. flow monitoring methods as claimed in claim 14 are it is characterised in that described shunting server is based on described mirror image number According to the data of the data head of bag, using consistent hashing algorithm, institute's base in the purpose mac address of described mirror image data bag is set In the data of data head include:
The source ip address of described data head, source port, purpose ip address and destination interface.
16. flow monitoring methods as claimed in claim 15 it is characterised in that
The source ip address of the data head of described mirror image data bag, source port are to send this mirror image data in described second network The ip address of the terminal of raw data packets of bag and port;
The purpose ip address of the data head of described mirror image data bag, destination interface are to receive this mirror image in described first network The ip address of the node of the raw data packets of packet and port.
17. flow monitoring methods as claimed in claim 16 receive this mirror image it is characterised in that being located in described first network The node of the raw data packets of packet is the cloud node in cloud platform.
18. flow monitoring methods as described in any one of claim 11 to 17 are it is characterised in that described first network is for providing The network that the cloud platform of public service is located, described second network is the Internet.
19. flow monitoring methods as described in any one of claim 11 to 17 are it is characterised in that described flow analysis servers Tcp streaming session based on tcp/ip agreement is followed the tracks of and tcp recombinant technique carries out flow analysis.
CN201610967238.0A 2016-10-28 2016-10-28 Flow monitoring system and flow monitoring method Pending CN106375160A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610967238.0A CN106375160A (en) 2016-10-28 2016-10-28 Flow monitoring system and flow monitoring method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610967238.0A CN106375160A (en) 2016-10-28 2016-10-28 Flow monitoring system and flow monitoring method

Publications (1)

Publication Number Publication Date
CN106375160A true CN106375160A (en) 2017-02-01

Family

ID=57893867

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610967238.0A Pending CN106375160A (en) 2016-10-28 2016-10-28 Flow monitoring system and flow monitoring method

Country Status (1)

Country Link
CN (1) CN106375160A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107147585A (en) * 2017-03-31 2017-09-08 北京奇艺世纪科技有限公司 A kind of flow control methods and device
CN108494657A (en) * 2018-04-08 2018-09-04 苏州云杉世纪网络科技有限公司 OpenStack cloud platform virtual probe mirror methods based on Open vSwitch
CN109873734A (en) * 2018-01-11 2019-06-11 贵州白山云科技股份有限公司 A kind of bottom data monitoring method, medium, equipment and device
CN110545213A (en) * 2019-08-12 2019-12-06 安徽云探索网络科技有限公司 Computer network data flow monitoring system and method
CN112113620A (en) * 2020-09-15 2020-12-22 甘肃盛御水利水电科技有限公司 Flow on-line monitoring system of hydraulic power plant
CN113965477A (en) * 2020-07-01 2022-01-21 慧与发展有限责任合伙企业 System and method for monitoring ingress/egress packets at a network device
CN113992699A (en) * 2021-10-28 2022-01-28 上海格尔安全科技有限公司 Cross-network full-flow data supervision method based on network card mirror image
CN114095403A (en) * 2020-07-30 2022-02-25 阿里巴巴集团控股有限公司 Network data processing system, method, network element equipment and server
CN114301960A (en) * 2021-12-15 2022-04-08 山石网科通信技术股份有限公司 Processing method and device for asymmetric flow of cluster, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101296185A (en) * 2008-06-05 2008-10-29 杭州华三通信技术有限公司 Flow control method and device of equalization group
CN101335709A (en) * 2008-08-07 2008-12-31 杭州华三通信技术有限公司 Method for implementing load sharing among flow analysis servers and shunting equipment
CN102932270A (en) * 2012-11-27 2013-02-13 无锡城市云计算中心有限公司 Load balancing method and device supporting network security service
CN103782546A (en) * 2011-09-14 2014-05-07 瑞典爱立信有限公司 Network-wide flow monitoring in split architecture networks

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101296185A (en) * 2008-06-05 2008-10-29 杭州华三通信技术有限公司 Flow control method and device of equalization group
CN101335709A (en) * 2008-08-07 2008-12-31 杭州华三通信技术有限公司 Method for implementing load sharing among flow analysis servers and shunting equipment
CN103782546A (en) * 2011-09-14 2014-05-07 瑞典爱立信有限公司 Network-wide flow monitoring in split architecture networks
CN102932270A (en) * 2012-11-27 2013-02-13 无锡城市云计算中心有限公司 Load balancing method and device supporting network security service

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107147585A (en) * 2017-03-31 2017-09-08 北京奇艺世纪科技有限公司 A kind of flow control methods and device
CN107147585B (en) * 2017-03-31 2020-02-18 北京奇艺世纪科技有限公司 Flow control method and device
CN109873734A (en) * 2018-01-11 2019-06-11 贵州白山云科技股份有限公司 A kind of bottom data monitoring method, medium, equipment and device
CN108494657A (en) * 2018-04-08 2018-09-04 苏州云杉世纪网络科技有限公司 OpenStack cloud platform virtual probe mirror methods based on Open vSwitch
CN108494657B (en) * 2018-04-08 2020-08-28 苏州云杉世纪网络科技有限公司 OpenStack cloud platform virtual probe mirroring method based on Open vSwitch
CN110545213A (en) * 2019-08-12 2019-12-06 安徽云探索网络科技有限公司 Computer network data flow monitoring system and method
CN113965477A (en) * 2020-07-01 2022-01-21 慧与发展有限责任合伙企业 System and method for monitoring ingress/egress packets at a network device
CN114095403A (en) * 2020-07-30 2022-02-25 阿里巴巴集团控股有限公司 Network data processing system, method, network element equipment and server
CN112113620A (en) * 2020-09-15 2020-12-22 甘肃盛御水利水电科技有限公司 Flow on-line monitoring system of hydraulic power plant
CN113992699A (en) * 2021-10-28 2022-01-28 上海格尔安全科技有限公司 Cross-network full-flow data supervision method based on network card mirror image
CN114301960A (en) * 2021-12-15 2022-04-08 山石网科通信技术股份有限公司 Processing method and device for asymmetric flow of cluster, electronic equipment and storage medium
CN114301960B (en) * 2021-12-15 2024-03-15 山石网科通信技术股份有限公司 Processing method and device for cluster asymmetric traffic, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN106375160A (en) Flow monitoring system and flow monitoring method
US10892964B2 (en) Systems and methods for monitoring digital user experience
US10938686B2 (en) Systems and methods for analyzing digital user experience
US10728117B1 (en) Systems and methods for improving digital user experience
JP4727275B2 (en) High-speed traffic measurement and analysis methodologies and protocols
US10212224B2 (en) Device and related method for dynamic traffic mirroring
Belenko et al. Synthetic datasets generation for intrusion detection in VANET
CN104488231B (en) Method, apparatus and system for selectively monitoring flow
EP3699766A1 (en) Systems and methods for monitoring, analyzing, and improving digital user experience
US9813447B2 (en) Device and related method for establishing network policy based on applications
CA2607603C (en) Distributed traffic analysis
ES2468793T3 (en) Traffic classification
US20160191568A1 (en) System and related method for network monitoring and control based on applications
US20170091204A1 (en) Analytics for a distributed network
CN106921572B (en) A kind of method, apparatus and system for propagating qos policy
CN109039775A (en) Quality of service monitoring method, apparatus and system
CN103004155B (en) Process is through the Network of fixing access
EP3756317B1 (en) Method, device and computer program product for interfacing communication networks
CN105071989A (en) Video content distribution quality monitoring system and monitoring method therefor
Trammell et al. mPlane: an intelligent measurement plane for the internet
CN104956625A (en) Monitoring encrypted sessions
US20160248652A1 (en) System and method for classifying and managing applications over compressed or encrypted traffic
CN102648604A (en) Method of monitoring network traffic by means of descriptive metadata
CN102124698A (en) System and method for exporting structured data in a network management environment
Udechukwu et al. Extending openflow for service insertion and payload inspection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 200433 Room 201, 10 B, 619 Longchang Road, Yangpu District, Shanghai.

Applicant after: Excellent Polytron Technologies Inc

Address before: 200433 room 1207-10, 6 Wade Road, Yangpu District, Shanghai.

Applicant before: SHANGHAI UCLOUD INFORMATION TECHNOLOGY CO., LTD.

RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20170201